npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

July 2nd security incident post-mortem

On Thursday, July 2nd we discovered a serious security issue that leaked private scoped module metadata to public replication endpoints.

Around 7:15am PT, we were notified by Jarrett Cruger and Terin Stock of unexpected data in their replication streams. We identified private data in the external replication stream, a critical security issue, and halted the stream at 7:30am. To the maximum extent possible we then purged the private data from the replication stream, and restarted it at 8:07am, at which point the leak was completely halted. The leak first began around 4pm PT on June 26th, so private metadata was exposed in the stream for just under six days.
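The incident was caught by people consuming the replication stream who noticed data they did not expect. The following is an added example of that kind of consumer-side check; it is not npm's code or tooling. It assumes the replication stream is a CouchDB-style `_changes` feed delivered as one JSON object per line, with the package name in the `id` field (an assumption about the stream format, not something this post states), and it flags every change for a scoped package (`@scope/name`) outside a set of scopes the consumer expects to see, which is exactly the class of document that should not have appeared in a public feed.

```python
"""Scan a CouchDB-style _changes feed for scoped package names.

Added example, not npm's own tooling. Assumes each line of the replication
stream is a JSON change record carrying the document id in "id" (an
assumption about the feed format). Scoped packages are named "@scope/name".
"""
import json
import re

# A scoped npm package name: "@" + scope + "/" + name, no further slashes.
SCOPED_NAME = re.compile(r"^@([^/@\s]+)/([^/\s]+)$")

# Constructed sample feed: two ordinary packages, one design document,
# two scoped packages (one a deletion) and one line that is not JSON.
SAMPLE_FEED = """\
{"seq":101,"id":"lodash","changes":[{"rev":"12-a1"}]}
{"seq":102,"id":"_design/scratch","changes":[{"rev":"1-b2"}]}
{"seq":103,"id":"@acme/billing-core","changes":[{"rev":"3-c3"}]}
not json at all
{"seq":104,"id":"express","changes":[{"rev":"40-d4"}]}
{"seq":105,"id":"@acme/internal-auth","changes":[{"rev":"1-e5"}],"deleted":true}
"""


def scope_of(name):
    """Return the scope of a scoped package name, or None for unscoped names."""
    m = SCOPED_NAME.match(name)
    return m.group(1) if m else None


def find_scoped_changes(feed_text, allowed_scopes=()):
    """Return (hits, bad_lines).

    hits is a list of (seq, id, deleted) for every change whose id is a
    scoped package outside allowed_scopes. Lines that are not JSON objects
    or carry no string "id" are counted in bad_lines rather than silently
    dropped, so a malformed feed cannot hide a leak by breaking the parser.
    """
    hits = []
    bad_lines = 0
    for line in feed_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            change = json.loads(line)
        except ValueError:
            bad_lines += 1
            continue
        doc_id = change.get("id") if isinstance(change, dict) else None
        if not isinstance(doc_id, str):
            bad_lines += 1
            continue
        scope = scope_of(doc_id)
        if scope is None or scope in allowed_scopes:
            continue
        hits.append((change.get("seq"), doc_id, bool(change.get("deleted", False))))
    return hits, bad_lines


if __name__ == "__main__":
    found, skipped = find_scoped_changes(SAMPLE_FEED)
    for seq, doc_id, deleted in found:
        print(f"seq {seq}: unexpected scoped package {doc_id}"
              + (" (deletion)" if deleted else ""))
    print(f"{skipped} unparseable line(s)")
```

A consumer that mirrors the registry can run this over its stored `_changes` log and halt its own replication when it reports a hit; deletions are reported too, because a deletion record for a private package still reveals that the package exists.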

All npm Private Module users were alerted on July 2nd, in order to give them time to take appropriate action. This is the public disclosure, in accordance with our security policy.

Metadata about private modules was leaked, but package contents and private user information were not. This was not the result of a malicious attack. Beyond reviewing whether the exposed metadata itself revealed anything sensitive, no additional action is required by any users of npm.

We have written a post-mortem of the incident with full details, including changes to our processes and infrastructure to prevent any issues of this sort in the future.